Publish the final released zip files to Maven Central also #1159

Open
nielsbasjes opened this issue Oct 5, 2024 · 12 comments

@nielsbasjes

As discussed here https://lists.apache.org/thread/14xzmfgh6qn8qmlw8fdfbwszpox8gnv0
the desired change is to also publish the artifacts to Maven Central in addition to the currently used GitHub releases page and the Apache download servers.

The normal maven ends up here
https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip

I propose to put the mvnd in a similar location with the intent of making it easily findable to others.
https://repo.maven.apache.org/maven2/org/apache/maven/apache-mvnd/1.0.2/...

@gnodet
Contributor

gnodet commented Oct 5, 2024

Sure, could you write a script that does that?

@slachiewicz
Member

Maven Central requires artefacts to be signed. Question if it's allowed by ASF policy, to store pgp keys used to sign outside of your own release manager workstation?

@nielsbasjes
Author

Perhaps a semi automated process?
First release it all the current way and then have a separate script that fetches, signs and publishes the artifacts from the developer machine?

@nielsbasjes
Author

The files I see here are already signed https://downloads.apache.org/maven/mvnd/1.0.2/
How do they get there? Where are they signed?

@gnodet
Contributor

gnodet commented Oct 5, 2024

> The files I see here are already signed https://downloads.apache.org/maven/mvnd/1.0.2/
> How do they get there? Where are they signed?

Using the script build/release-candidate.sh which should be run on the release manager laptop.

@gnodet
Contributor

gnodet commented Oct 5, 2024

> Maven Central requires artefacts to be signed. Question if it's allowed by ASF policy, to store pgp keys used to sign outside of your own release manager workstation?

I think using GitHub secrets could work. I managed to fully automate the JLine release process on GitHub, but it does have the ASF voting mechanism. But if we could semi-automate releases for any ASF project, that would be nice.

@gzm55
Contributor

gzm55 commented Oct 5, 2024

same issue #707

@gnodet
Contributor

gnodet commented Oct 5, 2024

> The files I see here are already signed https://downloads.apache.org/maven/mvnd/1.0.2/
> How do they get there? Where are they signed?

Using the script build/release-candidate.sh which should be run on the release manager laptop.

The release process is documented at https://github.com/apache/maven-mvnd/blob/master/RELEASING.adoc

I'm open to any change, as long as it can be scripted.

@slachiewicz
Member

https://infra.apache.org/release-distribution.html#sigs-and-sums

Looks like, the only limitation is to not store keys on ASF infra.
I haven't found requirements to use the key assigned to the person (but must be in KEYS), and infra recommends to have an automated sign.

@nielsbasjes
Author

> The release process is documented at https://github.com/apache/maven-mvnd/blob/master/RELEASING.adoc
>
> I'm open to any change, as long as it can be scripted.

Looking at the scripting I see right now, how about this:

  • A new script build/publish-on-mavencentral.sh is added, which is called from build/release-publish.sh
  • This new script simply downloads all published files (including all the signature files and file hashes) from https://downloads.apache.org/maven/mvnd/${VERSION}
  • And then simply run the maven deploy plugin on each file to publish them as-is to maven central.

Would that work?
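
An integrity gate that a fetch-and-republish script like the one proposed above could run between the download and the deploy step, as an added example that is not part of the original thread or of the mvnd build scripts. The function names are hypothetical, and the `.sha512` and `.asc` sidecar suffixes are assumed to follow the usual Apache download layout.

```shell
# Added example: refuse to republish any artifact whose hash sidecar
# does not match or whose detached signature file is missing.

# verify_sha512 FILE -> 0 if FILE matches FILE.sha512, 1 on mismatch,
# 2 if the file or a well-formed sidecar is missing.
verify_sha512() {
  local file="$1" sidecar="$1.sha512" expected actual
  [ -f "$file" ] && [ -f "$sidecar" ] || return 2
  # Sidecars appear as a bare digest or as "digest  filename";
  # in both cases the digest is the first field of the first line.
  expected=$(awk 'NR==1 {print tolower($1)}' "$sidecar")
  # A SHA-512 digest is exactly 128 hex characters; reject anything else.
  case "$expected" in
    ""|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 128 ] || return 2
  actual=$(sha512sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# verify_release_dir DIR -> 0 only if every .zip/.tar.gz in DIR passes
# verify_sha512 and has a .asc file next to it. An empty directory fails,
# so a download that silently fetched nothing cannot pass the gate.
verify_release_dir() {
  local dir="$1" f rc=0 count=0
  for f in "$dir"/*.zip "$dir"/*.tar.gz; do
    [ -e "$f" ] || continue
    count=$((count + 1))
    if ! verify_sha512 "$f"; then
      echo "FAIL checksum: $f" >&2
      rc=1
    fi
    # Presence check only: validating the signature itself needs the
    # project's KEYS imported into a keyring, which this sketch omits.
    if [ ! -f "$f.asc" ]; then
      echo "FAIL missing signature: $f" >&2
      rc=1
    fi
  done
  [ "$count" -gt 0 ] || return 1
  return "$rc"
}
```
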

@gnodet
Contributor

gnodet commented Oct 5, 2024

> > The release process is documented at https://github.com/apache/maven-mvnd/blob/master/RELEASING.adoc
> > I'm open to any change, as long as it can be scripted.
>
> Looking at the scripting I see right now, how about this:
>
> • A new script build/publish-on-mavencentral.sh is added, which is called from build/release-publish.sh
> • This new script simply downloads all published files (including all the signature files and file hashes) from https://downloads.apache.org/maven/mvnd/${VERSION}
> • And then simply run the maven deploy plugin on each file to publish them as-is to maven central.
>
> Would that work?

I think it would be better if the files would be published to http://repository.apache.org so that they can be linked during the vote. So maybe rather call it from release-candidate.sh, which would even be easier given we already have all the files available at that time. So upload all the files to the ASF nexus. Ideally, the script would close the repo, and the release-publish.sh would publish the repository to central. I'm not sure how those last two steps can be done. @cstamas may know...

@cstamas
Member

cstamas commented Oct 6, 2024

I will just leave this here, as we need multiple aspects from it (different binaries built on different runners, etc.):
https://gist.github.com/cstamas/69e6365bbb70521923020d68369bf8e5
